[Ietf-http-auth] Goals of this list?
Nicolas.Williams at sun.com
Sun Dec 18 22:51:49 PST 2005
On Sun, Dec 18, 2005 at 08:35:58PM -0800, Dick Hardt wrote:
> I have seen a number of different topics go by on this list, and am not
> certain what the goal is. Here are a couple of stabs at what I, with my
> little bitty brain, have gathered are the potential goals:
> 1) new mechanism for secure credential exchange that addresses the
> issues with digest mode of basic auth
> 2) ways for authentication mechanisms other than username/password to be
> used to authenticate to a server, e.g. SAML, SXIP, Infocard/WS-*, Kerberos
> Given the ease of MITM today if TLS is not used, and that someone
> could easily monitor and hijack a running session, I don't think (1)
> is possible. (but always keen to learn new things!)
Password based mechanisms can be resistant to MITM attacks, but only if
the password equivalent/verifier held by the server is salted uniquely
and not shared with other servers or if the mechanism is a
proxied-Kerberos type mechanism (think EAP).
> (2) is what I joined the list for.
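The condition in the reply above (a password equivalent that is salted uniquely per server and not shared) can be shown concretely. The following is an added illustration, not code from the list or from any HTTP authentication specification: a toy challenge-response in which each server stores a verifier derived from the password, and an attacker who has obtained the verifier stored at one server tries to use it against a second server. The `Server` class, the PBKDF2 parameters and the HMAC-based proof are assumptions chosen for the example, not a described protocol. It models the verifier-isolation property only; it does not model an active relay between a live client and server.

```python
import hashlib
import hmac
import os
import secrets


def derive_verifier(password: str, server_salt: bytes) -> bytes:
    """Password equivalent held by the server, bound to that server's unique salt.
    Parameters are illustrative; a deployment would pick them per its threat model."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), server_salt, 100_000)


def derive_unsalted_verifier(password: str) -> bytes:
    """The weak setting: an unsalted hash is identical at every server using it."""
    return hashlib.sha256(password.encode()).digest()


def prove(verifier: bytes, nonce: bytes) -> bytes:
    """Client-side proof of possession of the verifier for a fresh server nonce."""
    return hmac.new(verifier, nonce, "sha256").digest()


class Server:
    """Hypothetical server keeping one verifier per user (constructed for this example)."""

    def __init__(self, name: str, salted: bool) -> None:
        self.name = name
        self.salted = salted
        # A unique, random salt per server is what makes the verifier non-transferable.
        self.salt = os.urandom(16) if salted else b""
        self.users: dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        if self.salted:
            self.users[user] = derive_verifier(password, self.salt)
        else:
            self.users[user] = derive_unsalted_verifier(password)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check(self, user: str, nonce: bytes, proof: bytes) -> bool:
        expected = prove(self.users[user], nonce)
        return hmac.compare_digest(expected, proof)


def client_login(server: Server, user: str, password: str) -> bool:
    """Honest client: re-derives the verifier from the password and the server's salt."""
    nonce = server.challenge()
    if server.salted:
        verifier = derive_verifier(password, server.salt)
    else:
        verifier = derive_unsalted_verifier(password)
    return server.check(user, nonce, prove(verifier, nonce))


def legitimate_login_succeeds(salted: bool) -> bool:
    srv = Server("a.example", salted)
    srv.enroll("alice", "correct horse battery staple")  # constructed sample credential
    return client_login(srv, "alice", "correct horse battery staple")


def stolen_verifier_reusable_elsewhere(salted: bool) -> bool:
    """Does the verifier stored at server B let its holder authenticate to server A?
    Returns True when the two servers effectively share a password equivalent."""
    a = Server("a.example", salted)
    b = Server("b.example", salted)
    a.enroll("alice", "correct horse battery staple")
    b.enroll("alice", "correct horse battery staple")  # same password at both sites
    stolen = b.users["alice"]  # verifier obtained from B (e.g. a compromised database)
    nonce = a.challenge()
    return a.check("alice", nonce, prove(stolen, nonce))


if __name__ == "__main__":
    print("unsalted, shared verifier reusable at another server:",
          stolen_verifier_reusable_elsewhere(salted=False))
    print("per-server salted verifier reusable at another server:",
          stolen_verifier_reusable_elsewhere(salted=True))
```

With the unsalted variant the verifier taken from one server is accepted by the other, so a single compromise or a rogue server yields a credential usable everywhere the same password is used; with a unique salt per server the same stolen value proves nothing elsewhere, while honest logins still succeed at both.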